InfoSecBulletin Cybersecurity for mankind
On April 15, 2025, Oracle released a Critical Patch Update for 378 flaws for its products. The patch update covers databases, middleware, cloud services, and communication applications essential for global financial institutions, telecom providers, and cloud-native platforms.
Key Highlights:
CVE-2025-2492
ASUS warns of critical auth bypass flaw in routers
16,000+ Fortinet devices compromised with symlink backdoor, Mostly in Asia
Patch now! Critical Erlang/OTP SSH Vuln Allows UCE
CISA warns of increasing risk tied to Oracle legacy Cloud leak
CVE-2025-20236
Cisco Patches Unauthenticated RCE Flaw in Webex App
Apple released emergency security updates for 2 zero-day vulns
Oracle Released Patched for 378 flaws for April 2025
CVE-2025-24054
Hackers Exploiting NTLM Spoofing Windows Vuln the in Wild
Bengaluru firm got ransomware attack, Hacker demanded $70,000
MITRE warns: U.S. Govt. Funding for MITRE’s CVE Ends Today
Oracle Communications Applications had 42 new security updates, including 35 vulnerabilities that can be exploited remotely without authentication.
Oracle Commerce released 6 new patches, including five critical remote code execution vulnerabilities, like CVE-2025-24813 (CVSS 9.8), which impact Apache Tomcat in the Guided Search component.
Oracle Database Server received 7 new patches, including 3 that are remotely exploitable, like CVE-2025-30736, which affects Java VM.
Oracle GoldenGate and TimesTen In-Memory Database both had several serious vulnerabilities, including CVEs related to Axios, Apache Commons IO, and Netty.
Critical Vulnerability Statistics:
Total vulnerabilities addressed: 378
Unique CVEs fixed (excluding duplicates across products): 171
Remotely exploitable without authentication: 255 vulnerabilities
High-severity issues (CVSS v3.1 score ≥ 7.0): 162 vulnerabilities
CVSS ≥ 9.0 (Critical): 40 vulnerabilities
CVSS 9.8 (very high severity): 30 vulnerabilities
No CVSS 10.0 vulnerabilities were reported
The CPU affects a wide swath of Oracle offerings, including:
Oracle Database Server (versions 19.3–23.7)
Oracle Communications Suite (Unified Assurance, Messaging Server, Network Integrity)
Oracle GoldenGate, Graph Server, Essbase, Secure Backup
Oracle Java SE, Fusion Middleware, SOA Suite, WebLogic Server
Retail, Financial Services, E-Business Suite, PeopleSoft, and more
Oracle reiterates in its advisory that “attackers have been successful because targeted customers had failed to apply available Oracle patches.” The company urges users to remain on actively supported versions and apply the updates without delay.
Oracle advises organizations that are behind on patch cycles to upgrade to supported versions, as older versions likely contain vulnerabilities.
